DESCRIPTION
============
The problem is apparent when using a login URL that points directly to the XUI login, e.g.:
http://openam.example.com:8080/openam/XUI/#login/
The agent appends ?goto= to the end of this URL; the XUI then parses the result as the realm for login, causing the page to fail to load. The agent should append &goto=... for this to work.
Setting the login URL to something that already contains an & causes the agent to normalise with &goto= instead, e.g.:
http://openam.example.com:8080/openam/XUI/#login/&
This works, but it is not an intuitive solution. The default loginURL points to /openam/UI/Login, which then redirects correctly to XUI/#login/; however, this is an inefficient extra redirect on every login.
RECREATION STEPS
================
Test Parameters
Managed Resource URLs should cover differing protocols, trailing and non-trailing slashes, and query parameters:
http://iisal.example.com
http://iisal.example.com:80
http://iisal.example.com/
http://iisal.example.com:80/
https://iisal.example.com
https://iisal.example.com:443
https://iisal.example.com/
https://iisal.example.com:443/
http://iisal.example.com/first
http://iisal.example.com:80/first
https://iisal.example.com/first
https://iisal.example.com:443/first
https://iisal.example.com:443/first?myparam=myvalue
https://iisal.example.com:443/first?myparam=myvalue;secondparam=secondval
https://iisal.example.com:443/first.asp?myparam=myvalue&secondparam=secondval
https://iisal.example.com:443/first&myparam=myvalue
https://iisal.example.com:443/myServlet/#tag
https://iisal.example.com:443/myServlet/#tag&myparam=myvalue
https://iisal.example.com:443/first/my.png
https://iisal.example.com:443/first/second/my.png
https://iisal.example.com:443/first/*/my.png
OpenAM login URLs should cover both the legacy UI and the XUI, with and without the trailing &:
http://openam.example.com:8080/openam/XUI/#login
http://openam.example.com:8080/openam/XUI/#login/
http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm
http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&
http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&service=LDAPService
http://openam.example.com:8080/openam/XUI/#login/&realm=/MyRealm
http://openam.example.com:8080/openam/XUI/#login&realm=/MyRealm
http://openam.example.com:8080/openam/XUI/#login/MyRealm
http://openam.example.com:8080/openam/XUI/#login/MyRealm/
http://openam.example.com:8080/openam/XUI/#login/MyRealm/&
http://openam.example.com:8080/openam/UI/Login
http://openam.example.com:8080/openam/UI/Login/
http://openam.example.com:8080/openam/UI/Login?realm=MyRealm
http://openam.example.com:8080/openam/UI/Login?realm=MyRealm&service=LDAPService
http://openam.example.com:8080/openam/UI/Login?realm=/MyRealm
http://openam.example.com:8080/openam/UI/Login?realm=/MyRealm&service=LDAPService
http://openam.example.com:8080/openam/UI/Login/&realm=/MyRealm
http://openam.example.com:8080/openam/UI/Login/Login.jsp
http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=MyRealm
http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=MyRealm&service=LDAPService
http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=/MyRealm
http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=/MyRealm&service=LDAPService
Before
Create realm MyRealm
Configure the agent against realm /MyRealm
Set up SSO Only
Before each
Clear the browser cache if using a browser.
For each of (XUI turned on, XUI turned off)
For each URL in the login URL list
Set the login URL to the next login URL from the list (ssoadm set-attribute)
For each Managed Resource URL
Send an HTTP GET to the URL (curl -I "URL" can be used; note that -I sends a HEAD request rather than a GET)
Check that the HTTP code and Location header returned are as expected
If you follow the URL in a supported browser, the realm, service and goto parameters will be as expected and no errors will be reported.
EXPECTED OUTCOME
================
A 302 code should be produced.
The Location should be a valid URL that works in all supported browsers.
The key test is that the goto parameter is appended with an ampersand for any XUI URL, and whenever it is a secondary parameter. For UI (or other) URLs, ?goto= should be used when goto is the first query parameter and &goto= after that:
http://openam.example.com:8080/openam/XUI/#login&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login/&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login/&realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login&realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login/MyRealm/&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/XUI/#login/MyRealm/&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
For UI URLs the agent cannot determine what the ultimate URL will be, since it does not know the state of the XUI flag, so concentrate on getting the parameters correct:
http://openam.example.com:8080/openam/UI/Login?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login/?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login?realm=MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login?realm=MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login?realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login?realm=/MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login/&realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login/Login.jsp?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=/MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
After following this url, the correct login page should be displayed for the correct realm and service.
ACTUAL OUTCOME
==============
The goto parameter is incorrectly appended to XUI URLs as &?goto=. In some cases an error is displayed, and the realm parameter may be dropped when a browser is used:
http://openam.example.com:28080/openam/XUI/#login/&realm=MyRealm&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:28080/openam/XUI/#login/&realm=MyRealm&service=LDAPService&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:28080/openam/XUI/#login/&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
http://openam.example.com:28080/openam/XUI/#login/MyRealm&service=LDAPService&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
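The separator rule stated under EXPECTED OUTCOME and the malformed form shown under ACTUAL OUTCOME, as an added Python example that is not the agent's own code: append_goto builds the goto parameter the way the expected Location headers do (trailing & reused, & inside an XUI fragment or after an existing query, ? only for a bare legacy UI URL), and location_problems is the check a tester can run over the Location headers collected in the recreation steps. The resource URL http://iisal.example.com:80/ and the login URL pairs are taken from this page; the agent's own normalisation of the managed-resource URL (adding the port and trailing slash before encoding it) is assumed to have already happened and is not modelled here.

```python
from urllib.parse import quote

# Constructed inputs taken from this report: the resource is given in the
# already-normalised form the agent emits in the expected Location headers.
RESOURCE = "http://iisal.example.com:80/"
BASE = "http://openam.example.com:8080/openam/"
GOTO = "goto=http%3A%2F%2Fiisal.example.com%3A80%2F"


def append_goto(login_url: str, resource_url: str = RESOURCE) -> str:
    """Append goto=<percent-encoded resource> to an OpenAM login URL.

    Rule taken from the EXPECTED OUTCOME section:
      * a login URL that already ends in '&' gets 'goto=' appended directly;
      * an XUI URL (fragment present) or any URL that already carries
        query parameters ('?' or '&') gets '&goto=';
      * a plain legacy UI URL gets '?goto=' as its first query parameter.
    """
    goto = "goto=" + quote(resource_url, safe="")  # encode ':' and '/' too
    if login_url.endswith("&"):
        return login_url + goto
    if any(ch in login_url for ch in "#?&"):
        return login_url + "&" + goto
    return login_url + "?" + goto


def location_problems(location: str) -> list:
    """Defects a tester should reject in a 302 Location header."""
    problems = []
    if "&?" in location:
        problems.append("'&?' separator: '?goto=' appended after an '&'")
    if "#" in location and "?goto=" in location.split("#", 1)[1]:
        problems.append("'?goto=' inside the XUI fragment")
    if "goto=" not in location:
        problems.append("no goto parameter")
    return problems


# Login URL -> expected Location, copied from the lists on this page.
EXPECTED = {
    BASE + "XUI/#login": BASE + "XUI/#login&" + GOTO,
    BASE + "XUI/#login/": BASE + "XUI/#login/&" + GOTO,
    BASE + "XUI/#login/&realm=MyRealm&": BASE + "XUI/#login/&realm=MyRealm&" + GOTO,
    BASE + "XUI/#login/&realm=/MyRealm": BASE + "XUI/#login/&realm=/MyRealm&" + GOTO,
    BASE + "XUI/#login/MyRealm/": BASE + "XUI/#login/MyRealm/&" + GOTO,
    BASE + "UI/Login": BASE + "UI/Login?" + GOTO,
    BASE + "UI/Login/": BASE + "UI/Login/?" + GOTO,
    BASE + "UI/Login?realm=MyRealm&service=LDAPService":
        BASE + "UI/Login?realm=MyRealm&service=LDAPService&" + GOTO,
    BASE + "UI/Login/&realm=/MyRealm": BASE + "UI/Login/&realm=/MyRealm&" + GOTO,
    BASE + "UI/Login/Login.jsp?realm=/MyRealm":
        BASE + "UI/Login/Login.jsp?realm=/MyRealm&" + GOTO,
}


def check_expected() -> list:
    """Return (login_url, got, wanted) for every pair append_goto gets wrong."""
    return [(url, append_goto(url), want)
            for url, want in EXPECTED.items() if append_goto(url) != want]


if __name__ == "__main__":
    for url in EXPECTED:
        print(append_goto(url))
    # One of the broken Locations from ACTUAL OUTCOME (port 28080 as on the page).
    bad = "http://openam.example.com:28080/openam/XUI/#login/&?" + GOTO
    print(bad, "->", location_problems(bad))
    print("mismatches:", check_expected())
```

Feed the Location values from the curl -I runs to location_problems; any non-empty result is a failing case for this ticket.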
WORKAROUND
==========
For XUI logins, put a trailing ampersand on the login URL, or use the legacy UI login URL:
http://openam.example.com:8080/openam/UI/Login?realm=MyRealm
http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&
ISSUE LINKS
===========
Is related to: OPENAM-8173 OpenAM Login URL in the agent profile should support XUI login URL (Open)
Relates to: OPENAM-9597 Goto URL with multiple query string parameters incorrectly decoded (Resolved)